Cyberattacks by the People’s Republic of China (PRC) have increasingly drawn the attention of governments, security experts and businesses worldwide. Among these intrusions, the so-called Salt Typhoon hack stands out for its scale and sophistication, targeting critical infrastructure and government systems worldwide.
The attack, revealed in late 2024, demonstrates the brazen nature of PRC digital espionage operations and underscores the complex legal landscape surrounding cybersecurity, international relations and cybercrime prosecutions.
Salt Typhoon is a group of hackers working for the Chinese Communist Party (CCP) Ministry of State Security. Its attack primarily targeted key infrastructure systems in Asia, Europe and the United States.
The hackers used malware and other malign measures to access and steal sensitive data from senior government employees, telecommunications companies and private entities. Their cyber tools infiltrated cloud infrastructure and evaded traditional online defenses.
The hack is part of the PRC’s strategy of espionage and information theft. Evidence suggests that the primary motivation was to access sensitive U.S. voice and text data, obtain state secrets, and create a persistent presence in telecom networks. The vast scale of the breach has raised concerns about its long-term effects on international security.
Such state-sponsored cyberattacks trouble legal experts. Under international law, internet espionage that targets government or critical infrastructure can be considered a breach of sovereignty and an act of aggression. Yet legal frameworks for cyberattacks are still theoretical, with no clear consensus on what constitutes a “cyber act of war.”
This ambiguity complicates responses from affected states. While European countries and the U.S. have condemned the PRC’s involvement in the Salt Typhoon attack, direct retaliation is fraught with legal challenges. It is difficult to apply traditional concepts of warfare or sanctions to cyberattacks, especially when the attackers are ensconced behind a state that denies involvement.
Digital infiltrations often span multiple countries, making it difficult to determine where the crime occurred or which laws apply.
European Union members and the U.S. may seek to prosecute the perpetrators under extraterritorial laws, which allow for legal action against individuals who commit internet crimes that harm citizens or businesses. But enforcing such laws across borders is a daunting task. International cooperation in such investigations can bog down due to differences in national security policies, resource allocation and legal classifications of evidence.
The Salt Typhoon hack highlights the need for strong universal cybersecurity regulations. Many countries have enacted laws such as the General Data Protection Regulation in Europe and the U.S. Cybersecurity Information Sharing Act. However, these laws primarily focus on protecting private companies and individuals rather than addressing state-sponsored threats.
As state-sponsored hacking becomes more prevalent, the question of how to hold governments accountable becomes crucial. Should international bodies such as the United Nations step in? Or should individual nations impose penalties on countries suspected of orchestrating such attacks? Both options have enforcement limitations.
The lack of an international treaty governing state-sponsored cybercrimes makes it difficult to impose sanctions on the PRC or other nations involved in such activities. Even if punitive measures are taken, they may not deter future attacks, especially when countries such as the PRC continue to make cyber espionage an integral part of their national security strategy.
The Salt Typhoon hack marks a significant moment in the evolution of cyberwarfare and espionage. As state-sponsored attacks become more common, the world faces difficult questions about how to adapt legal frameworks to address this new form of conflict.
Increasing cyberattacks underscore the need for global cooperation in cyber defense and the establishment of clear rules governing state conduct in cyberspace.